I have a Web application and have run an XSS scan on it and it reports that one of my pages that has a Java applet in it could potentially be open to XSS.
The test managed to assign a javascript alert box to the following HTML code:
<param name='id' value='' onMouseOver=alert(40041)>
My question is: is this a valid test? Will doing any XSS javascript manipulation on param objects cause any real-world issue? I don't think a MouseOver on a param object will do anything.
Thanks
This is a valid test and it may be a serious vulnerability.
If the contents of value were not escaped then the attacker could close the tag and add any other script. Even if < > are escaped/stripped, but quotes aren't, it may still be exploitable: the attacker could attach event handlers like onload and onerror. In modern browsers every element can be made visible (e.g. even <head>), so style could make <param> hoverable too.

It's quite simple to protect against XSS like this. When generating attributes always use quotes and in the value change:

& to &amp;
< to &lt;
' to &#39;
" to &quot;

and you won't have to worry what bad things could happen with a hijacked <param>.
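As an added example (not code from the question or the answer above), the following JavaScript shows the escaping rule the answer recommends applied to the exact <param> tag from the question, next to the unescaped rendering the scanner found. The render functions, the small attribute tokenizer and the sample input are all constructed here for illustration; the tokenizer is a rough approximation of how a browser splits a tag into attributes, used only to make the difference between the two renderings visible. It also escapes > in addition to the four characters the answer lists, which is harmless inside a quoted attribute.

```javascript
// Added example, not from the original question or answer.
// Assumption: a server-side render step builds the <param> tag from a
// request parameter `id` by string concatenation.

// Escape a string for use inside a quoted HTML attribute value, following
// the answer's rule (& < ' ") plus > for good measure. The & replacement
// must run first so the entities produced afterwards are not double-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/'/g, "&#39;")
    .replace(/"/g, "&quot;");
}

// Vulnerable rendering: the raw value is interpolated, so a value that
// starts with a quote closes the attribute and everything after it becomes
// new attributes of the tag. This is the pattern the scanner detected.
function renderParamUnsafe(id) {
  return "<param name='id' value='" + id + "'>";
}

// Hardened rendering: same markup, but the value is quoted AND escaped, so
// no character in the input can terminate the attribute.
function renderParamSafe(id) {
  return "<param name='id' value='" + escapeAttr(id) + "'>";
}

// Rough attribute tokenizer for a single tag: returns the lower-cased
// attribute names, honouring single-quoted, double-quoted and unquoted
// values. Good enough to show whether an injected handler became its own
// attribute; it is not a full HTML parser.
function attributeNames(tag) {
  const inner = tag.replace(/^<\s*[a-z]+\s*/i, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s'">]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sample input: the value the scanner used on the page.
const SCANNER_PAYLOAD = "' onMouseOver=alert(40041)";

// Summarise both renderings so a reader can compare them side by side.
function compareRenderings(id) {
  const unsafe = renderParamUnsafe(id);
  const safe = renderParamSafe(id);
  return {
    unsafe,
    safe,
    unsafeHasHandler: attributeNames(unsafe).some((n) => n.startsWith("on")),
    safeHasHandler: attributeNames(safe).some((n) => n.startsWith("on")),
  };
}

const result = compareRenderings(SCANNER_PAYLOAD);
console.log(result.unsafe); // <param name='id' value='' onMouseOver=alert(40041)'>
console.log(result.safe);   // <param name='id' value='&#39; onMouseOver=alert(40041)'>
console.log("handler injected (unsafe):", result.unsafeHasHandler); // true
console.log("handler injected (safe):  ", result.safeHasHandler);   // false
```

The important design point is the combination: quoting alone is not enough (the payload simply closes the quote), and escaping alone is not enough if the attribute is unquoted (a space would still start a new attribute). Quote the attribute and escape the value, and the scanner's input survives only as inert text inside value.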